CVE-2025-46723 is a high-severity vulnerability identified in version 1.0.0 of OpenVM, a performant and modular zkVM (zero-knowledge virtual machine) framework designed for customization and extensibility. The vulnerability arises from an incorrect calculation of buffer size during the byte decomposition of the program counter (pc) in the AUIPC chip component of OpenVM. Specifically, a typographical error causes the highest limb of the pc to be range-checked against an 8-bit limit instead of the intended 6-bit limit. The enumeration controlling the range check incorrectly iterates over i=0,1,2 instead of i=1,2,3, which means the pc_limbs[3] element is improperly validated. This discrepancy leads to a mismatch between the decomposed pc limbs and the true pc value. As a result, a malicious prover can exploit this overflow in the BabyBear field to manipulate the destination register's value, causing it to diverge from what the AUIPC instruction dictates. This can lead to unauthorized control flow or data manipulation within the virtual machine. The vulnerability has been addressed and patched in OpenVM version 1.1.0. The CVSS 4.0 base score is 7.8 (high), reflecting network attack vector, low attack complexity, no privileges or user interaction required, but with high impact on integrity and availability. No known exploits are currently reported in the wild.

For European organizations utilizing OpenVM version 1.0.0, this vulnerability poses a significant risk to the integrity and availability of their zkVM-based applications. Since OpenVM is used for zero-knowledge proof computations, which are critical in privacy-preserving applications such as blockchain, confidential computing, and secure multiparty computations, exploitation could allow attackers to subvert the correctness of computations or cause denial of service by corrupting execution state. This could lead to unauthorized transaction approvals, data tampering, or service disruptions. Given the high integrity impact, organizations relying on OpenVM for secure computation or cryptographic proofs may face compliance and trust issues, especially under stringent European data protection regulations like GDPR. The lack of required privileges or user interaction means that exploitation could be automated and remotely executed, increasing the threat surface. However, the absence of known exploits in the wild currently reduces immediate risk but does not eliminate it.

European organizations should prioritize upgrading OpenVM to version 1.1.0 or later, where this vulnerability is patched. In environments where immediate upgrade is not feasible, organizations should implement strict input validation and sandboxing around the AUIPC chip operations to detect and prevent anomalous pc limb decompositions. Employ runtime integrity checks to monitor the consistency of the program counter and destination registers during execution. Additionally, restrict network access to systems running vulnerable OpenVM instances to trusted sources only, reducing exposure to remote exploitation. Incorporate continuous monitoring and anomaly detection for zkVM operations to identify potential exploitation attempts. Finally, maintain an inventory of all systems using OpenVM to ensure comprehensive patch management and vulnerability remediation.